7.4. Security Process Data and Metrics
💡 First Principle: You cannot manage what you cannot measure — but you can easily measure the wrong things and create a false sense of security. Effective security metrics connect operational data to business outcomes: they answer "are we getting more secure over time?" and "where should we invest next?" not just "how many events did we process?" Metrics that measure activity without measuring outcomes produce green dashboards that hide red risk.
The distinction between Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) is essential. A KPI measures how well the security program executes its processes (operational efficiency): mean time to respond, or the percentage of endpoints patched within SLA. A KRI measures the organization's exposure to adverse events (risk posture): the number of internet-exposed systems with unremediated critical vulnerabilities, and whether that number is trending up or down. Both are needed; neither alone is sufficient. A program can hit every KPI while its KRIs worsen, for example when patching stays within SLA but the exposed asset inventory grows faster than the team can cover it.
Why this matters: Exam questions test whether you can select the right metric for the right purpose, distinguishing between activity metrics (volume of events processed, tickets closed, alerts triaged), effectiveness metrics (mean time to detect, MTTD; mean time to respond or remediate, MTTR), and risk metrics (risk exposure trend). Presenting activity metrics as evidence of program effectiveness is a common distractor pattern: a SIEM that processes twice as many events this quarter says nothing about whether intrusions are found or contained any faster.
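The three metric families above side by side, as an added example that is not part of the study guide: the incident and vulnerability-finding records, the 30-day remediation SLA and the quarter boundaries are all constructed for illustration. Activity (incident count) doubles from Q1 to Q2 while the effectiveness metrics get worse, and one long-dwell intrusion shows why a practitioner reports the median next to the mean.

```python
"""Activity, effectiveness and risk metrics over constructed security data.

Added illustration, not from the study guide: the incident and finding
records, the 30-day SLA and the quarter boundaries are assumptions made
up for this example.
"""
from datetime import date, datetime
from statistics import mean, median


def _ts(s):
    """Parse the 'YYYY-MM-DD HH:MM' timestamps used in the constructed records."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def _inc(iid, quarter, occurred, detected, contained):
    return {"id": iid, "quarter": quarter, "occurred": _ts(occurred),
            "detected": _ts(detected), "contained": _ts(contained)}


# Constructed incident records. "occurred" is when the attacker activity
# began (established during the investigation), "detected" when the SOC
# opened the case, "contained" when the activity was stopped.
INCIDENTS = [
    _inc("INC-01", "2024Q1", "2024-01-08 09:00", "2024-01-08 13:00", "2024-01-08 17:00"),
    _inc("INC-02", "2024Q1", "2024-02-14 08:00", "2024-02-14 14:00", "2024-02-14 18:00"),
    _inc("INC-03", "2024Q1", "2024-03-20 10:00", "2024-03-20 18:00", "2024-03-20 22:00"),
    _inc("INC-04", "2024Q2", "2024-04-02 09:00", "2024-04-02 14:00", "2024-04-02 18:00"),
    _inc("INC-05", "2024Q2", "2024-04-18 08:00", "2024-04-18 14:00", "2024-04-18 18:00"),
    _inc("INC-06", "2024Q2", "2024-05-06 09:00", "2024-05-06 16:00", "2024-05-06 22:00"),
    _inc("INC-07", "2024Q2", "2024-05-21 08:00", "2024-05-21 16:00", "2024-05-21 22:00"),
    _inc("INC-08", "2024Q2", "2024-06-03 07:00", "2024-06-03 16:00", "2024-06-04 00:00"),
    # Dwell-time outlier: intrusion found five days later via an external tip.
    _inc("INC-09", "2024Q2", "2024-06-10 08:00", "2024-06-15 08:00", "2024-06-15 16:00"),
]


def _hours(later, earlier):
    return (later - earlier).total_seconds() / 3600


def quarterly_report(incidents):
    """Activity (count) beside effectiveness (MTTD/MTTR) for each quarter.

    Mean and median are both reported: a single long-dwell intrusion drags
    the mean far from what the SOC typically achieves.
    """
    by_q = {}
    for inc in incidents:
        by_q.setdefault(inc["quarter"], []).append(inc)
    report = {}
    for q, incs in sorted(by_q.items()):
        ttd = [_hours(i["detected"], i["occurred"]) for i in incs]
        ttr = [_hours(i["contained"], i["detected"]) for i in incs]
        report[q] = {
            "incidents": len(incs),                 # activity metric
            "mttd_mean_h": round(mean(ttd), 1),     # effectiveness metrics
            "mttd_median_h": round(median(ttd), 1),
            "mttr_mean_h": round(mean(ttr), 1),
            "mttr_median_h": round(median(ttr), 1),
        }
    return report


# Constructed vulnerability-finding records for the KRI below.
FINDINGS = [
    {"id": "F-1", "severity": "critical", "exposed": True,  "first_seen": date(2024, 1, 15), "remediated": date(2024, 2, 1)},
    {"id": "F-2", "severity": "critical", "exposed": True,  "first_seen": date(2024, 2, 10), "remediated": None},
    {"id": "F-3", "severity": "critical", "exposed": False, "first_seen": date(2024, 1, 5),  "remediated": None},
    {"id": "F-4", "severity": "high",     "exposed": True,  "first_seen": date(2024, 1, 5),  "remediated": None},
    {"id": "F-5", "severity": "critical", "exposed": True,  "first_seen": date(2024, 4, 20), "remediated": None},
    {"id": "F-6", "severity": "critical", "exposed": True,  "first_seen": date(2024, 5, 25), "remediated": None},
    {"id": "F-7", "severity": "critical", "exposed": True,  "first_seen": date(2024, 6, 15), "remediated": None},
    {"id": "F-8", "severity": "critical", "exposed": True,  "first_seen": date(2024, 2, 25), "remediated": date(2024, 4, 10)},
]


def open_critical_past_sla(findings, as_of, sla_days=30):
    """KRI: internet-exposed critical findings still open past the SLA on `as_of`.

    A finding counts if it was already known on `as_of`, had not been
    remediated by then, and had been open for more than `sla_days`.
    """
    count = 0
    for f in findings:
        if f["severity"] != "critical" or not f["exposed"]:
            continue
        if f["first_seen"] > as_of:
            continue
        if f["remediated"] is not None and f["remediated"] <= as_of:
            continue
        if (as_of - f["first_seen"]).days > sla_days:
            count += 1
    return count


def kri_trend(findings, quarter_ends):
    """Exposure KRI at each quarter end (ISO date strings), so the trend is visible."""
    return [open_critical_past_sla(findings, date.fromisoformat(d)) for d in quarter_ends]


if __name__ == "__main__":
    for q, m in quarterly_report(INCIDENTS).items():
        print(q, m)
    print("open critical past SLA at Q1/Q2 end:",
          kri_trend(FINDINGS, ["2024-03-31", "2024-06-30"]))
```

Run as-is, the report shows Q1 with 3 incidents, MTTD 6.0 h and MTTR 4.0 h, and Q2 with 6 incidents, a mean MTTD of 25.8 h against a median of 7.5 h (the single five-day dwell), and MTTR up to 6.0 h; the exposure KRI moves from 2 to 3 open critical findings past SLA. A dashboard that reported only the incident count would show a busier, apparently more productive SOC while both the effectiveness and the risk metrics moved the wrong way.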
⚠️ Common Misconception: "A passing audit means an organization is secure." An audit attests that the controls in scope met a specific standard's requirements, either as designed at a point in time (a SOC 2 Type I report) or as operating over a defined period (a SOC 2 Type II report). It does not attest to the absence of vulnerabilities, to the adequacy of the standard itself, or to the organization's posture against threats outside the audit scope, and the scope, the sampled period and the evidence are agreed in advance. Organizations with clean audit reports are breached regularly: the audit measured compliance, not security.